CyptoJacking Campaign Used Two Malware Strains to Target IoT and Linux Devices

Unknown threat actors have been running a malware campaign targeting Linux and IoT machines using two malware strains designed to install CNRig and CoinHive Monero cryptominers after deleting competing miners.

The cyptojacking campaign discovered by Anomali Labs‘ research team ran between August and October 2018, with the Linux Rabbit initial campaign being active during August and targeting only Linux boxes, while the second one dubbed Rabbot operated from September to October, adding IoT devices to its target list.

Both Linux Rabbit and Rabbot campaigns were designed to detect the architecture of the machine they infiltrated and installed a cryptominer executable designed explicitly for that specific machine.

Moreover, the Linux Rabbit malware was used by the bad actors to scan for and compromise targets from Russia, South Korea, the UK, and the US, subsequently getting in touch with its command-and-control (C2) server via a TOR encrypted communication channel.

The next step was to achieve persistence on the Linux box using rc.local and .bashrc files and to hack into the local SSH server with the help of a hard-coded list of credentials for brute-forcing is way into the server.

During the next step, “Linux Rabbit attempts to install both “CNRig” and “CoinHive” Monero miners onto the machine, but only one will actually successfully install depending on what type of architecture the machine is,” says Anomali Labs.

Rabbot used a self-propagating worm to find and compromise new IoT targets

Also, “If the machine is a x86-bit, it will install CNRig Monero miner and if the machine is an ARM/MISP, it will install CoinHive.”

Furthermore, if it detects a web server running on the compromised Linux box, Linux Rabbit will also inject CoinHive script tags into every HTML file it finds on the server.

Additionally, as an intermediary step, the malware will also start a scanning process for other crypto miners running on the infected Linux server, deleting them before installing its own Monero miner.

The Rabbot campaign used a self-propagating malware that shares the same code with the Linux Rabbit strain, with an extra feature: the capability of infecting unpatched IoT devices with no specific geolocation requirements.

In a nutshell, Anomali Labs’ discovered that Rabbot’s behavior is identical to Linux Rabbit’s with the only significant difference being that the former will drop and execute both architecture specific cryptominer payloads.